Re: [OAUTH-WG] 2 Leg with OAuth 2.0

Eran Hammer-Lahav <> Tue, 29 November 2011 20:38 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 160451F0CDA for <>; Tue, 29 Nov 2011 12:38:32 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2.448
X-Spam-Status: No, score=-2.448 tagged_above=-999 required=5 tests=[AWL=0.150, BAYES_00=-2.599, HTML_MESSAGE=0.001]
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id Nx+uGA9joAW7 for <>; Tue, 29 Nov 2011 12:38:29 -0800 (PST)
Received: from ( []) by (Postfix) with SMTP id 6F1B91F0C84 for <>; Tue, 29 Nov 2011 12:38:29 -0800 (PST)
Received: (qmail 4997 invoked from network); 29 Nov 2011 20:38:28 -0000
Received: from unknown (HELO ( by with SMTP; 29 Nov 2011 20:38:28 -0000
Received: from P3PW5EX1MB01.EX1.SECURESERVER.NET ([]) by P3PW5EX1HT003.EX1.SECURESERVER.NET ([]) with mapi; Tue, 29 Nov 2011 13:38:22 -0700
From: Eran Hammer-Lahav <>
To: Brian Hawkins <>, "" <>
Date: Tue, 29 Nov 2011 13:38:17 -0700
Thread-Topic: [OAUTH-WG] 2 Leg with OAuth 2.0
Thread-Index: Acyu1ZBEiSiJVmm1SLurJ2pJcptthwAASXcA
Message-ID: <90C41DD21FB7C64BB94121FBBC2E723452856C6DD1@P3PW5EX1MB01.EX1.SECURESERVER.NET>
References: <> <90C41DD21FB7C64BB94121FBBC2E723452856C6DBE@P3PW5EX1MB01.EX1.SECURESERVER.NET> <>
In-Reply-To: <>
Accept-Language: en-US
Content-Language: en-US
acceptlanguage: en-US
Content-Type: multipart/alternative; boundary="_000_90C41DD21FB7C64BB94121FBBC2E723452856C6DD1P3PW5EX1MB01E_"
MIME-Version: 1.0
Subject: Re: [OAUTH-WG] 2 Leg with OAuth 2.0
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Tue, 29 Nov 2011 20:38:32 -0000

Both MAC and Bearer work in this setup, just think of them as HMAC-SHA-1 and PLAINTEXT in OAuth 1.0. In Bearer, your token is the client secret and in MAC, the client secret is the key.


From: [] On Behalf Of Brian Hawkins
Sent: Tuesday, November 29, 2011 12:28 PM
Subject: Re: [OAUTH-WG] 2 Leg with OAuth 2.0

Maybe I'm making this harder then it should be.

Here is the situation:  Site A and B both trust each other.  Site A needs to update user information at site B.

With OAuth 1.0 Site A would use it's consumer key and secret to sign the update call to Site B (no access token involved).  Only one message is sent.

The closest I can come to the above with OAuth 2.0 is to use the MAC token scheme and sign the request with the consumer secret.  Is that valid?  I kind of get the idea that the protocol doesn't care.

It feels like the bearer scheme just doesn't work for what I'm trying to do.


On Tue, Nov 29, 2011 at 1:06 PM, Eran Hammer-Lahav <<>> wrote:
This functionality can be implemented in two main ways:

1.       Using the client credentials flow to get an access token, then using the protocol as usual

2.       Just using the Bearer (over SSL) or MAC token schemes without the rest of OAuth


From:<> [<>] On Behalf Of Brian Hawkins
Sent: Tuesday, November 29, 2011 11:49 AM
Subject: [OAUTH-WG] 2 Leg with OAuth 2.0

I'm having trouble finding information on how to do 2leg authentication with OAuth 2.0.  Does it even support it?